Answer the question
In order to leave comments, you need to log in
How to sign data in JavaScript and validate it in PHP?
Hello everyone
The essence of the question is this
Let's say I want to collect information about the user environment using JavaScript
Well, roughly speaking, for example, get the current URL of the document.location.href page
And then send this data to my script
Question - how to protect the sent data so that the user does not change it?
That is, what JavaScript received, then it was sent to me
. This option comes to mind
1) On the server, we generate a random key (it contains the time of its creation, the duration of the action, etc.)
2) This key is used to "sign" the data sent JavaScript
3) On the server, the signing key is compared with the incoming data
If the old key is used or the data is not matched, the validation fails of course, etc.
How can this algorithm be implemented?
1) How can you "sign" a string with data with a given key in JavaScript?
Ie get some hash from a given string using a given key
2) How to check the validity of the data in PHP?
Well, that is, in fact, sign the original data with the same key, but already in PHP
On the other hand, with sufficient knowledge of JS, you can also sign fake data ...
Here the question is not so much in strict data integrity, but to make life as difficult as possible for those who are these wants to change the data
In general, does anyone have any considerations? :)
Thank you all for the hint
Answer the question
In order to leave comments, you need to log in
After you do all this, data forgery becomes exactly one step more difficult - to get the key and encode the data on it, instead of just sending plain text data.
You just have to accept the fact that 99.99% of potential users don't give a shit about your scripts.
And for those who need it, they will still send whatever they want. Just do not do any critical/secret things based on this data.
On the other hand, with sufficient knowledge of JS, you can also sign fake dataThat's it. You can make client data spoofing difficult, but you can't completely prevent it.
Didn't find what you were looking for?
Ask your questionAsk a Question
731 491 924 answers to any question